diff --git a/nixos/tests/unbound.nix b/nixos/tests/unbound.nix
index c88231636226..d4b8bb15ced6 100644
--- a/nixos/tests/unbound.nix
+++ b/nixos/tests/unbound.nix
@@ -27,6 +27,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
 # disable the root anchor update as we do not have internet access during
 # the test execution
 services.unbound.enableRootTrustAnchor = false;
+
+ # we want to test the full-variant of the package to also get DoH support
+ services.unbound.package = pkgs.unbound-full;
 };
 };
@@ -81,13 +84,16 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
 networking.firewall.allowedTCPPorts = [
 53 # regular DNS
 853 # DNS over TLS
+ 443 # DNS over HTTPS
 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
 services.unbound = {
 enable = true;
 allowedAccess = [ "192.168.0.0/24" "fd21::/64" "::1" "127.0.0.0/8" ];
- interfaces = [ "::1" "127.0.0.1" "192.168.0.2" "fd21::2" "192.168.0.2@853" "fd21::2@853" "::1@853" "127.0.0.1@853" ];
+ interfaces = [ "::1" "127.0.0.1" "192.168.0.2" "fd21::2"
+ "192.168.0.2@853" "fd21::2@853" "::1@853" "127.0.0.1@853"
+ "192.168.0.2@443" "fd21::2@443" "::1@443" "127.0.0.1@443" ];
 forwardAddresses = [
 (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv6.addresses).address
 (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv4.addresses).address
@@ -217,6 +223,14 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
 expected,
 ["+tcp", "+tls"] + args,
 )
+ query(
+ machine,
+ remote,
+ query_type,
+ zone,
+ expected,
+ ["+https"] + args,
+ )
 client.start()
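Review bot: The new `@443` entries in `interfaces` do not say why Unbound will speak HTTPS on them, whereas the firewall list documents each port. Unbound serves DoH on a listener only when its port equals `https-port` (default 443), and it needs the same `tls-service-key`/`tls-service-pem` pair as the 853 listeners, which is presumably configured outside this hunk. I would add a comment above the `"192.168.0.2@443"` line, for example `# @443 matches unbound's default https-port, so these listeners serve DoH (needs tls-service-key/pem)`. Without it, a later port change could turn these into plain-DNS listeners on a port the firewall opens, and the reason would not be obvious from the config.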
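Review bot: The added `["+https"] + args` call only shows that an answer comes back over DoH, because nothing in the call pins the resolver's certificate or hostname. Unless `query` adds that check itself (its body is outside this hunk), the assertion would hold against any TLS endpoint answering on 443. A comment above the call, such as `# DoH: exercises the transport only; the server certificate is not checked here`, would stop readers from taking it as an authentication test. As a style point, this repeats the six-argument block of the `["+tcp", "+tls"]` call directly above, so a loop like `for flags in (["+tcp", "+tls"], ["+https"]):` with a single `query(machine, remote, query_type, zone, expected, flags + args)` would be shorter. The enclosing function starts outside the hunk.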